Hackers can abuse LTE protocols to knock phones off networks

When you travel between countries, the mobile operators that temporarily provide service to your phone need to communicate with your operator back home. This is done over a global interconnection network where most traffic still uses an ageing protocol, called SS7, that's known to be vulnerable to location tracking, eavesdropping, fraud, denial of service (DoS), SMS interception and other attacks.

With the advance of Long-Term Evolution (LTE) networks, some roaming traffic is switching to a newer protocol, called Diameter, that's more secure than SS7 in theory, but which still allows for attacks if it's not deployed with additional security mechanisms.

For example, the Internet Protocol Security (IPsec), a secure communications suite that works by authenticating and encrypting each IP (Internet Protocol) packet, has been standardized for Diameter. But while its implementation is mandatory, its use is optional.

In practice, IPsec is rarely used on the global interconnection network for various reasons and this means that many of the attacks that are possible with SS7 are also possible or have equivalents in Diameter, according to researchers from Nokia Bell Labs and Aalto University in Finland.

The researchers ran experiments on a test network set up by an unnamed global mobile operator and simulated attacks launched from Finland against U.K. subscribers. They found several methods of disrupting service to users, temporarily and permanently, and even a method that could affect important nodes that provide service to entire regions. The results were presented Friday at the Black Hat Europe security conference in London.

First off, attackers would need to gain access to this private interconnection network (IPX) in order to attack another operator's systems or subscribers. However, this is not hard to achieve, as multiple incidents have shown in the past, and there are different ways to do it.

Attackers could, for example, pose as a virtual network operator and get access to the roaming network through an existing operator. They could also hack into one of the nodes run by existing operators, some of which are, sadly, accessible from the internet, when they shouldn't be.

If the attacker is actually a government, it could leverage its power over local operators to gain access through them. And if that doesn't work, bribing an employee from an operator is also an option.

Finally, access could be bought from other hackers that already have it. There have been services on the "dark" market that sold access to this network and there will probably be more in the future.

An operator's LTE network is made up of cell towers; nodes called MMEs (Mobility Management Entities) that provide session management, subscriber authentication, roaming and handovers to other networks; and a home subscriber server (HSS), the crown jewel that holds the master subscriber database. At the edge it has Diameter Edge Agents (DEAs), which serve as links to the interconnection network via IPX providers.

In order to pull off any attack on telecom networks, attackers need to know the victim's international mobile subscriber identity (IMSI), a unique number that's stored in the subscriber's SIM card. The researchers showed that attackers can easily obtain this number once they're on the IPX network by masquerading as a Short Message service center (SMSC) that's trying to deliver a text message to a phone number.

The attackers only need to know the victim's phone number in international format -- this is known as the Mobile Station International Subscriber Directory Number (MSISDN) -- and the DEA of the victim's operator. They can then send a routing information request through the DEA to the operator's HSS, which will respond with the subscriber's IMSI as well as the identity of the MME the subscriber is connected to. This provides the information needed to launch future attacks.

Such an attack involves the attackers masquerading as a partner's HSS and sending a Cancel Location Request (CLR) message to the victim's MME. This will cause the MME to disconnect the subscriber.

CLR messages are used on a regular basis inside the network when subscribers switch from one MME to another because of a change in location. However, the interesting aspect of this attack, aside from forcing an MME to detach a subscriber from the network, is that when the subscriber re-attaches, their device will send 20 different messages to the MME.

This amplification effect might pose risks to the MME if, for example, attackers force the detachment of hundreds of subscribers at the same time, although the researchers didn't test how many messages it would take to overload an MME. If an MME becomes unresponsive it would be bad, because there are only a few of them in a network and they serve large areas.

A second DoS technique devised by the researchers involves impersonating an HSS and sending an Insert Subscriber Data Request (IDR) to the victim's MME with a special value that means no service. This will permanently detach the user from the network because their subscription will be changed in the MME's records. Recovering from this can take a long time because the subscriber needs to call his mobile operator and sort out the situation.

The researchers also showed two other DoS techniques involving other types of Diameter messages, but they're only temporary as the user can recover by restarting their mobile device.

People seem to think that all will be better with LTE and Diameter, but in reality it will be different, not better, if mobile operators don't take additional security measures, said Silke Holtmanns, a security specialist with Nokia Bell Labs, during her talk at Black Hat Europe.

According to her, deploying IPsec is hard because not all traffic on the IPX network uses the Internet Protocol, and maintaining the kind of large public key infrastructures required by IPsec is costly for operators in developing countries. Nodes are also difficult to upgrade, and then there's the tough question of who should be in charge of creating and hosting the root certificates required by IPsec, which is likely to cause disputes between countries, she said.

And even if IPsec somehow becomes widely used, it still doesn't protect against attacks launched with the help of hacked nodes, rented network access, bribed employees or governmental ties, because these methods abuse legitimate access to the network.

According to the researchers, the best defense is a combination of measures. Operators should monitor the traffic on their networks and the traffic of their tenants and they should filter messages at their DEAs by using signaling firewalls. They should also harden their nodes, share their security experiences with other operators and put business rules in place so they can efficiently deal with misuse.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.